This post is also available in: עברית (Hebrew)
By Lior Mazor
The year 2014 was a turning point for mobile applications, having surpassed all other softwares in accessing the internet from a personal computer or a conventional browser. Along with that, the number of attacks on applications have also risen, causing a big rise in the number of attacks and criminal activity in different applications. According to FireEye security company, a sharp rise of 188% in application vulnerability was seen in android devices compared to 2011, and up to 262% in ISO devices.
Mobile applications have become an integral part of our lives and are expected to become even more substantial and dominant. At the same time, we’re witnessing applicative attacks focusing on sensitive information theft (such as credit cards), information exposure, changes being made or information being stolen directly from the database. These attacks are being carried out, among other ways, by bypassing the app’s indentification system, stealing other users’ digital identity and receiving permission from the system. These applicative attacks can even include concealing evidence, damaging the system’s availability and the application’s reliability. Results of a successful attack can be financial damage, causing an opening for law suits, regulations not being kept (such as PCI standard – a credit card standard) and sever damage to the name of the company behind the app’s development.
An HP security survey from 2014 has shown that the world of apps in general is highly problematic when it comes to information security. The research showed that 80% of apps are not secured – having been integrated in a wrong way, or from having inherent flaws, including problems with definitions, older versions and configuration issues. More than half of the applications examined have displayed weaknesses in exposing data about the app, its integration, or information about its users. The main reasons for vulnerability are located in the development:
- Short Time To Market (TTM) – Using development methods such as Agile Development leads to an average TTM for an original mobile application of between 14-20 weeks, a datum that also depends on the complexity as well as other factors in the app. Such fast development makes it hard to combine security information.
- Code Reuse – Mobile app developers tend to use the same code segments, called reuse, for the code iteslf, which automatically creates the existance of a security information problem in a wide range of products (reusing the segments again and again, which leads to widthwise damages.
- Using an open code – Popular opinion among mobile apps’ developers today is that open code systems are automatically “secured and safe to use”, which is of course entirely wrong and can cause multiple security vulnerabilities in different applications, since oftentimes open code modules are maintained by lone developers who are not always aware of the principals of secured development.
So how can information security be combined with mobile apps development:
- In the stage of development – giving information security instructions for secured architecture of the system as well as planning defense systems to answer for breaches arising in the analysis stage.
- Development in a secured way according to known principals (such as OWASP) and integrating Security development lifecicles as part of the stages of development and tests.
- Conducting penetration tests for a better picture of the information security in a way that can assist in evaluating the app’s level of security – by simulating an attack, analysing and investigating systems, testing for the defense systems’ response etc.
- Conducting an automated Code Analysis for a better picture of the information security inside the application code while avoiding common security flaws in the software. The system scans automatically for the code to trace security flaws in order to detect them before an actual attack (system for scanning codes such as: Checkmarks, Appscan, Seeker and Fortify).
- Combining automated code analysis as part of the secure development cycle. Automatic code scans must be combined as an integral part of of development process (part of the Build) and it’s recommended to combine them in the bug detection system to avoid developers “overlooking/ignoring” detected information security flaws.
- Protecting the app’s infrastructure with a Web Application Firewall (WAF) as a buffer between the app to the system’s servers. WAF products were meant to hangle applicative breaches and include a system to detect attack based on signature and studying the application.
- Updating applications for mobile in order to fix information security weaknesses revealed in the development language in mobile devices to protect the application and the mobile device.
Lior Mazor is a software engineer, with a B.sc in computer sciences and mathematics, experience of over 9 years in information security, applying and integrating information security systems and project management in Israel and abroad. Certified Leading Auditor for ISO 27001, and certified CISSP. Mazor also has experience in development, conducting applicative penetration tests, code examination as well as cyber attack and defense examination.